18 Installing and Configuring Oracle Entitlements Server

This chapter describes how to install and configure Oracle Entitlements Server 11g Release 1 (11.1.1).

It discusses the following topics:

18.1 Overview of Oracle Entitlements Server 11g Installation

Oracle Entitlements Server, formerly AquaLogic Enterprise Security, is a fine-grained authorization and entitlement management solution that can be used to precisely control the protection of application resources. It simplifies and centralizes security for enterprise applications and SOA by providing comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model. For more information, see "Introducing Oracle Entitlements Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

Oracle Entitlements Server 11g includes two distinct components:

Oracle Entitlements Server Administration Server (Authorization Policy Manager)

This component is included in the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) installation and requires Oracle WebLogic Server, whose installation creates the Middleware Home directory.

OES Client (Security Module)

This component has its own installer and it is not included in the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) installation. The OES Client does not require Oracle WebLogic Server.

18.2 Installing Oracle Entitlements Server Administration Server

This section contains the following topics:

18.2.1 Prerequisites

The following are the prerequisites for installing Oracle Entitlements Server 11g Release 1 (11.1.1):

  • Oracle WebLogic Server 11g Release 1 (10.3.5)

  • One of the following databases for the Oracle Entitlements Server policy store:

    • Oracle Database

    • Apache Derby, an evaluation database included in your Oracle WebLogic Server installation

18.2.2 Procedure

Installing Oracle Entitlements Server 11g Administration Server involves the following steps:

18.2.2.1 Oracle Fusion Middleware Certification

It is recommended that you read the Oracle Fusion Middleware Supported System Configurations document. This document provides certification information for Oracle Fusion Middleware, including supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity and Access Management 11g Release 1 (11.1.1).

You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) web site:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

18.2.2.2 System Requirements

For more information, see System Requirements.

18.2.2.3 Obtaining the Oracle Fusion Middleware Software

For installing Oracle Entitlements Server Administration Server, you must obtain the following software:

  • Oracle WebLogic Server

  • Oracle Database (Recommended)

  • Oracle Repository Creation Utility

  • Oracle Identity and Access Management Suite

For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

18.2.2.4 Installing Oracle WebLogic Server and Creating the Oracle Middleware Home

Before you can install Oracle Identity and Access Management 11g Release 1 (11.1.1) components, you must install Oracle WebLogic Server and create the Oracle Middleware Home directory.

For more information, see "Install Oracle WebLogic Server" in Oracle Fusion Middleware Installation Planning Guide.

In addition, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information about installing Oracle WebLogic Server.

18.2.2.5 Installing Oracle Database (Recommended)

For more information, see Installing Oracle Database.

Note:

Oracle Entitlements Server also supports Apache Derby 10.5.3.0, an evaluation database included in your Oracle WebLogic Server installation.

18.2.2.6 Creating a Schema for Oracle Entitlement Server

Depending on the policy store you choose for Oracle Entitlements Server, complete one of the following:

Using Oracle Database for Oracle Entitlement Server Policy Store

If you are using Oracle Database for Oracle Entitlements Server policy store, then create an OES schema and an MDS schema by using the Oracle Fusion Middleware Repository Creation Utility (RCU). Refer to Creating Database Schema Using the Oracle Fusion Middleware Repository Creation Utility (RCU) for more information about creating schemas.

Note:

When you create a schema, be sure to remember the schema owner and password that is shown in RCU.

Using Apache Derby for Oracle Entitlement Server Policy Store

If you are using Apache Derby for Oracle Entitlements Server policy store, then you must complete the following:

  1. Open setNetworkServerCP (Located at wlserver_10.3/common/derby/bin on UNIX) or setNetworkServerCP.bat (Located at wlserver_10.3\common\derby\bin on Windows) in a text editor and specify the DERBY_HOME as shown in the following example:

    DERBY_HOME="Oracle/Middleware/wlserver_10.3/common/derby"
    
  2. Start the Apache Derby database by running the following commands:

    • setNetworkServerCP (UNIX) or setNetworkServerCP.bat (Windows).

    • startNetworkServer (Located at wlserver_10.3/common/derby/bin on UNIX) or startNetworkServer.bat (Located at wlserver_10.3\common\derby\bin on Windows).

    You can also run startDerby.sh (Located at wlserver_10.3/common/bin) or startDerby.cmd (Located at wlserver_10.3\common\bin) to start the Apache Derby database. The Apache Derby database also starts automatically when you start Oracle WebLogic Server.

  3. Test the network server connection by running ij (Located at wlserver_10.3/common/derby/bin on UNIX) or ij.bat (Located at wlserver_10.3\common\derby\bin on Windows) as follows:

    bin/ij
    
  4. Connect to the Apache Derby Server, as shown in the following example:

    ij> connect 'jdbc:derby://127.0.0.1:1527/data/oesdb;create=true';
    

    oesdb is the name of the database and data is the relative path (based on the directory where you start the server; in this example, Oracle/Middleware/wlserver_10.3/common/derby/bin) where the database files will be saved.

  5. Open opss_user.sql (Located at RCU_HOME/rcu/integration/apm/sql/derby) in a text editor and replace &&1 with the schema user name.

    Repeat the above steps for the following SQL files (Located at RCU_HOME/rcu/integration/apm/sql/derby):

    • opss_tables.sql

    • opss_version.sql

    • opss_gencatalog.sql

    Note:

    This is the schema name you will specify when you configure the Oracle Entitlements Server described in Configuring Oracle Entitlements Server Administration Server.

  6. Run the following SQL files (Located at RCU_HOME/rcu/integration/apm/sql/derby) in the ij console:

    • run 'opss_user.sql';

    • run 'opss_tables.sql';

    • run 'opss_version.sql';

    • run 'opss_gencatalog.sql';

    Note:

    Ensure that you run the SQL files in the same order listed above and make a note of the schema owner and password that you have created.
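The placeholder substitution in step 5 and the ordered run in step 6 are easy to get wrong by hand (a file left with &&1, or the files run out of order). The following shell script is an added example, not part of the Oracle guide: it copies the four RCU SQL files, replaces &&1 with the schema user name, and writes an ij script that lists the run commands in the required order. It assumes the files are in RCU_HOME/rcu/integration/apm/sql/derby as stated above; the work directory layout and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: prepares the Derby schema SQL files from
# RCU for the ij console. It copies each file, replaces the RCU placeholder &&1 with
# the schema user name, and writes an ij script that runs the files in the order the
# guide requires. Assumes the files live in RCU_HOME/rcu/integration/apm/sql/derby
# as the guide states; the work directory layout is this example's own.

# The order matters (user, tables, version, catalog), as step 6 above lists them.
OES_DERBY_SQL_FILES="opss_user.sql opss_tables.sql opss_version.sql opss_gencatalog.sql"

# prepare_oes_derby_sql <source dir> <work dir> <schema user>
# Writes substituted copies into <work dir> and prints the path of the generated ij script.
prepare_oes_derby_sql() {
  src="$1"; work="$2"; schema="$3"
  # The schema name is spliced into a sed expression and into SQL: allow identifier characters only.
  case "$schema" in ""|*[!A-Za-z0-9_]*) echo "invalid schema name: '$schema'" >&2; return 1;; esac
  mkdir -p "$work" || return 1
  ijscript="$work/run_oes_schema.ij"
  : > "$ijscript"
  for f in $OES_DERBY_SQL_FILES; do
    [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    # Only the &&1 placeholder changes; the RCU SQL is otherwise copied verbatim.
    sed "s/&&1/$schema/g" "$src/$f" > "$work/$f" || return 1
    printf "run '%s';\n" "$work/$f" >> "$ijscript"
  done
  printf '%s\n' "$ijscript"
}

# count_placeholders <file>: lines still containing &&1 (0 after a successful preparation)
count_placeholders() { grep -c '&&1' "$1" || true; }

# Usage (after starting the network server, step 2):
#   prepare_oes_derby_sql "$RCU_HOME/rcu/integration/apm/sql/derby" /tmp/oes_derby OES_USER
# then connect in ij (step 4) and execute the four run lines listed in
# /tmp/oes_derby/run_oes_schema.ij, in order.
```

The schema name check matters because the value is spliced into a sed replacement, where characters such as & or / would change the SQL; restricting it to identifier characters keeps the generated files faithful to the RCU originals apart from the placeholder.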

18.2.2.7 Starting the Installer

This topic explains the steps that are common to starting most Oracle Identity and Access Management installations and configurations. It begins with starting the Installer and ends after you complete the steps on the Prerequisites Check screen.

Note:

Starting the Installer as the root user is not supported.

Perform the following steps to start an Oracle Identity and Access Management installation:

Note:

Oracle Entitlements Server Administration is a part of the Oracle Identity and Access Management Suite.

  1. Download the contents of the ofm_iam_generic_11.1.1.5.0_disk1_1of1.zip file to a directory. By default, this directory is named ofm_iam_generic_11.1.1.5.0_disk1_1of1.

  2. Change your present working directory to ofm_iam_generic_11.1.1.5.0_disk1_1of1/Disk1 directory under the ofm_iam_generic_11.1.1.5.0_disk1_1of1 folder.

  3. Start the Installer by executing one of the following commands:

    UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <Middleware Home>/jdk160_24/jre

    Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <Middleware Home>\jdk160_24\jre

    Note:

    The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk160_24 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\oracle\Middleware\jdk160_24, then launch the installer from the command prompt as follows:

    C:\setup.exe -jreLoc C:\oracle\Middleware\jdk160_24\jre

    You must specify the -jreLoc option on the command line when using the JDK to avoid installation issues. If this option is not specified on the command line, then you might get the following error:

    InvocationTargetException
    

18.2.2.8 Installation Screens and Instructions

Follow the instructions in Table 18-1 to install Oracle Entitlements Server.

If you need additional help with any of the installation screens, click Help to access the online help.

Note:

IDM_HOME is mentioned in descriptions and procedures throughout this guide for the Oracle Identity and Access Management home directory. You can specify any name for your IDM_Home directory.

Table 18-1 Installation Flow for the Oracle Entitlements Server

No. Screen Description and Action Required

1

Welcome

Click Next to continue.

2

Install Software Updates

Select one of the following and then click Next:

  • Skip Software Updates: Select this option to skip this screen. The installer will not check for updates that might be applicable to the current product installation.

  • Search My Oracle Support for Updates: If you have a My Oracle Support account, then select this option to have the installer automatically search My Oracle Support for software updates that apply to the software products you are about to install.

    Enter your My Oracle Support account name and password, and then click Search for Updates.

    The installer automatically downloads applicable software updates from My Oracle Support.

    Before you search for updates, you can test your login credentials and the connection to My Oracle Support by clicking Test Connection. Click Proxy Settings to configure a proxy server if one is required.

  • Search Local Directory for Updates: Select this option if you already downloaded the latest software updates and you want the installer to search a local directory for updates applicable to the products you are about to install.

    When you select this option, the installer displays an additional field and Browse button that you can use to identify the local directory where your updates are located.

3

Prerequisite Checks

If all prerequisite checks pass inspection, then click Next to continue.

Note: You can ignore warnings about missing Operating System Packages. If you are using this product for evaluation purposes, then ignore the warning about Kernel Parameters.

4

Specify Installation Location

In the Oracle Middleware Home field, enter the path to the Oracle Middleware Home installed on your system. Ensure that Oracle WebLogic Server is already installed on the system in the same Middleware Home as described in Installing Oracle WebLogic Server and Creating the Oracle Middleware Home. This directory is the same as the Oracle Home created in the Oracle WebLogic Server installation.

In the Oracle Home Directory field, enter a name for the Oracle Home folder that will be created under your Middleware Home. This directory is also referred to as IDM_HOME.

Click Next to continue.

5

Installation Summary

The Summary Page screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install.

6

Installation Progress

If you are installing on a UNIX system, you may be asked to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

Click Next to continue.

7

Installation Complete

Click Finish to dismiss the installer.

This installation process copies the Oracle Identity and Access Management software to your system and creates an IDM_Home directory under your Middleware Home. You must proceed to create a WebLogic Domain, by running the Oracle Fusion Middleware Configuration Wizard. In addition, you must configure the Administration Server settings while creating the domain.


18.2.2.9 Verifying Oracle Entitlements Server Installation

To verify that your Oracle Entitlements Server Administration Server install was successful, go to your Oracle Middleware Home directory associated with the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) installation and verify that the OES folder is created under IDM_HOME.

18.3 Configuring Oracle Entitlements Server Administration Server

This topic describes how to configure Oracle Entitlements Server in a new WebLogic domain. It includes the following sections:

18.3.1 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Oracle Entitlements Server application on the Administration Server

18.3.2 Prerequisites

The following are the prerequisites for configuring Oracle Entitlements Server 11g Release 1 (11.1.1):

18.3.2.1 Installing Oracle Entitlements Server

You must install Oracle Entitlements Server Administration Server as described in Installing Oracle Entitlements Server Administration Server.

18.3.2.2 Editing the weblogic.policy file

To edit the weblogic.policy file, run the following command:

IDM_HOME/common/bin/wlst.sh IDM_HOME/oes/modifygrants.py

Note:

The above command works only if you use the default policy file name, weblogic.policy. If you change the default name of the policy file, then you must open the file in a text editor and add the following lines, as shown in the example:

grant codeBase "file:${idm.opss.oracle.home}/modules/oracle.jps_${jrf.version}/*" {
    permission java.security.AllPermission;
};
 
grant codeBase "file:${idm.opss.oracle.home}/oes/*" {
    permission java.security.AllPermission;
};
 
grant codeBase "file:${oes.client.home}/-" {
    permission java.security.AllPermission;
};
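When the policy file has been edited by hand, it is worth confirming that all three grants actually made it in before starting the domain. The following shell check is an added example, not part of the Oracle guide: it parses a Java policy file in the syntax shown above and reports which of the three required codeBase grants lack an AllPermission entry. The codeBase values are the guide's; the parsing approach and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: checks that a WebLogic policy file
# carries the three codeBase grants the guide lists for OES, so a manual edit
# (needed when the policy file is not named weblogic.policy) can be verified.
# Assumes the Java policy syntax shown in the guide: grant codeBase "..." { permission ...; };

# The codeBase values the guide requires. The ${...} are Java policy properties, not shell variables.
OES_REQUIRED_CODEBASES='file:${idm.opss.oracle.home}/modules/oracle.jps_${jrf.version}/*
file:${idm.opss.oracle.home}/oes/*
file:${oes.client.home}/-'

# codebases_with_allpermission <policy file>
# Prints one codeBase per line for every grant block that contains java.security.AllPermission.
codebases_with_allpermission() {
  awk '
    /^[[:space:]]*grant[[:space:]]+codeBase/ {
      if (match($0, /"[^"]*"/)) cb = substr($0, RSTART + 1, RLENGTH - 2); else cb = ""
      all = 0; next
    }
    /permission[[:space:]]+java\.security\.AllPermission/ { all = 1 }
    /^[[:space:]]*};/ { if (cb != "" && all) print cb; cb = ""; all = 0 }
  ' "$1"
}

# missing_oes_grants <policy file>
# Prints each required codeBase that has no AllPermission grant; returns 1 if any is missing.
missing_oes_grants() {
  present=$(codebases_with_allpermission "$1")
  missing=$(printf '%s\n' "$OES_REQUIRED_CODEBASES" | while IFS= read -r cb; do
    printf '%s\n' "$present" | grep -Fxq -- "$cb" || printf '%s\n' "$cb"
  done)
  if [ -z "$missing" ]; then return 0; fi
  printf '%s\n' "$missing"
  return 1
}

# Usage: missing_oes_grants "$DOMAIN_HOME/path/to/your.policy" && echo "all OES grants present"
```

The grep uses fixed-string, whole-line matching so that the `*` and `${...}` in the codeBase values are compared literally rather than as patterns.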

18.3.2.3 Extracting Apache Derby Template (Optional)

If you are using Apache Derby, then you must extract the oracle.apm_11.1.1.3.0_template_derby.zip file (Located at IDM_HOME/common/templates/applications) and save oracle.apm_11.1.1.3.0_template_derby.jar file to the following location:

IDM_HOME\common\templates\applications

18.3.3 Procedure

Perform the following steps to configure Oracle Entitlements Server in a new WebLogic domain:

Note:

You must have a dedicated Oracle WebLogic Server domain for Oracle Entitlements Server. Do not configure any other Oracle Identity and Access Management components in this domain.

  1. Run the IDM_HOME/common/bin/config.sh script on UNIX or IDM_HOME\common\bin\config.cmd on Windows.

    The Fusion Middleware Configuration Wizard appears.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server - 11.1.1.0 [Oracle_IDM1] option, and click Next.

    Notes:

    • When you select the Oracle Entitlements Server - 11.1.1.0 [Oracle_IDM1] option, the Oracle JRF 11.1.1.0 [Oracle_Common] option is also selected, by default.

    • If you are using Apache Derby, then select the Oracle Entitlements Server Derby template.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Configure JDBC Component Schema screen is displayed.

  7. On the Configure JDBC Component Schema screen, select the Oracle Entitlements Server schema and the MDS Schema, then specify the Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    Note:

    You get the Schema information from the steps you completed in Section 18.2.2.6, "Creating a Schema for Oracle Entitlement Server".

    The Test JDBC Component Schema screen appears.

  8. Select the component schema you want to test, and click Test Connections. After the test succeeds, click Next.

    The Select Optional Configuration screen appears.

  9. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes, and click Next.

    Note:

    This step is optional.

  10. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Entitlements Server is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

18.3.4 Starting the Administration Server

You must start the Administration Server by running the following command on the command line:

Windows

MW_HOME\user_projects\domains\domain_name\bin\startWebLogic.cmd

UNIX

MW_HOME/user_projects/domains/domain_name/bin/startWebLogic.sh

18.3.5 Post-Configuration

To complete the configuration, run the following commands on the command line:

Note:

Ensure that your Administration Server is up and running.

  1. Run wlst.sh (located at IDM_HOME/common/bin).

  2. Connect to your Administration Server using the following command:

    connect('weblogic-username', 'weblogic-password','t3://host:port')
    
  3. Run the following WLST (online) command, depending on your policy store:

    Oracle Database

    configureOESAdminServer(servertype="DB_ORACLE");
    

    Table 18-2 WLST Command Oracle Database

    Argument Definition

    domain

    Name of the Oracle Entitlements Server domain. The default value is oes_domain.

    jpsroot

    Specifies the root node in the target repository under which all data is migrated. The default value is cn=jpsroot.

    datasourcename

    Name of the data source. The default value is jdbc/APMDBDS.

    servertype

    Name of the target database server. Enter DB_ORACLE.


    Note:

    You can enter domain, jpsroot, and datasourcename arguments on the command line if you want to change the default values. For example, configureOESAdminServer(domain="oes_domain", servertype="DB_ORACLE", jpsroot="cn=jpsroot", datasourcename="jdbc/APMDBDS")

    Apache Derby

    configureOESAdminServer(servertype="DB_DERBY");
    

    Table 18-3 WLST Command Apache Derby

    Argument Definition

    domain

    Name of the Oracle Entitlements Server domain. The default value is oes_domain.

    jpsroot

    Specifies the root node in the target repository under which all data is migrated. The default value is cn=jpsroot.

    datasourcename

    Name of the data source. The default value is jdbc/APMDBDS.

    servertype

    Name of the target database server. Enter DB_DERBY.


    Note:

    You can enter the domain, jpsroot, and datasourcename arguments on the command line if you want to change the default values. For example, configureOESAdminServer(domain="farm", servertype="DB_DERBY", jpsroot="cn=root", datasourcename="jdbc/APMDBDS");

    For more information about WLST commands, see Oracle Fusion Middleware Oracle WebLogic Scripting Tool and Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

  4. Restart the Oracle Entitlements Server Administration Server as described in Restarting Servers.

18.3.6 Verifying Oracle Entitlements Server Configuration

To verify that your Oracle Entitlements Server Administration Server configuration was successful, use the following URL to log in to the Oracle Entitlements Server Administration Console:

http://hostname:port/apm/

Where hostname is the DNS name or IP address of the Administration Server and port is the address of the port on which the Administration Server listens for requests.

For more information, see the section "Logging In to and Signing Out of the User Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

18.4 Installing OES Client

This section contains the following topic:

18.4.1 Prerequisites

You must install and configure Oracle Entitlements Server Administration Server, as described in Installing Oracle Entitlements Server Administration Server and Configuring Oracle Entitlements Server Administration Server.

18.4.2 Obtaining OES Client Software

For more information on obtaining OES Client 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

18.4.3 Installing OES Client

To install OES Client 11g Release 1 (11.1.1.5.0), extract the contents of oesclient.zip to your local directory and then run setup.exe (for Windows) or ./runInstaller (for UNIX) from the Disk1 directory.

Note:

The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk160_24 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\oracle\Middleware\jdk160_24, then launch the installer from the command prompt as follows:

C:\setup.exe -jreLoc C:\oracle\Middleware\jdk160_24\jre

You must specify the -jreLoc option on the command line when using the JDK to avoid installation issues.

Follow the instructions in Table 18-4 to install OES Client.

If you need additional help with any of the installation screens, click Help to access the online help.

Table 18-4 Installation Flow for the OES Client

No. Screen Description and Action Required

1

Welcome

Click Next to continue.

2

Prerequisite Checks

If all prerequisite checks pass inspection, then click Next to continue.

3

Specify Installation Location

In the Oracle Home Directory field, enter the directory in which you want to save the OES Client installation. This directory is also referred to as OES_Client_Home in this book.

Oracle Entitlements Server Client does not require a Middleware Home with the Oracle WebLogic Server installed.

Oracle recommends that you save the OES client installation in a separate directory in the same Middleware Home where the Oracle Entitlements Server Administration server is installed. For example, MW_HOME/Oracle_OESClient.

Click Next to continue.

4

Installation Summary

The Installation Summary Page screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing OES Client Management, click Install.

5

Installation Progress

If you are installing on a UNIX system, you may be asked to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

Click Next to continue.

6

Installation Complete

Click Finish to dismiss the installer.

This installation process copies the Identity Management software to your system and creates an IDM_Home directory under your Middleware Home. You must proceed to create a WebLogic Domain, by running the Oracle Fusion Middleware Configuration Wizard. In addition, you must configure the Administration Server settings while creating the domain.


18.4.4 Verifying OES Client Installation

To verify that your OES Client install was successful, go to your Oracle Home directory which you specified during installation and verify that the OES Client installation files are created.

18.5 Configuring OES Client

OES Client distributes policies to individual Security Modules that protect applications and services. Policy data is distributed in a controlled manner or in a non-controlled manner. The distribution mode is defined in the jps-config.xml configuration file for each Security Module. The specified distribution mode is applicable for all Application Policy objects bound to that Security Module.

Note:

Oracle recommends that you configure OES Client in the controlled distribution mode.

This section describes how to configure the following:

18.5.1 Configuring Security Modules in a Controlled Mode (Quick Configuration)

This section describes how to configure the Security Module quickly using the pre-existing smconfig.prp files.

18.5.1.1 Configuring Java Security Module in a Controlled Mode

To configure a Java Security Module instance in a controlled distribution mode, do the following:

  1. Open the smconfig.java.controlled.prp file (Located at OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 18-5.

  2. Run the config.sh (Located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (Located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name).

    • Oracle Entitlements Server password (This is the Administration Server's password)

    • New key store password for enrollment

18.5.1.2 Configuring RMI Security Module in a Controlled Mode

To configure an RMI Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.rmi.controlled.prp file (Located at OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 18-5.

  2. Run the config.sh (Located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (Located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -RMIListeningPort <RMISM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.rmi.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server Password (This is the Administration Server's password)

    • New key store password for enrollment

18.5.1.3 Configuring Web Service Security Module in a Controlled Mode

To configure a Web Service Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.ws.controlled.prp file (Located at OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 18-5.

  2. Run the config.sh (Located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (Located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -WSListeningPort <WSSM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server password (This is the Administration Server's password)

    • Key store password for enrollment

18.5.1.4 Configuring Oracle WebLogic Server Security Module in a Controlled Mode

To configure an Oracle WebLogic Server Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.wls.controlled.prp file (Located at OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 18-5.

  2. Run the config.sh (Located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (Located at OES_CLIENT_HOME\oessm\bin for Windows) as follows:

    config.sh -smConfigId <SM_NAME> -prpFileName $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.wls.controlled.prp -serverLocation <Location of WebLogic Server Home>
    
  3. Create an OES Client domain, as described in Section 18.5.4, "Creating the OES Client Domain".

18.5.2 Configuring Distribution Modes

For more information about distribution modes, see the section "Defining Distribution Modes" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.

The following sections explain how to configure distribution modes.

18.5.2.1 Configuring Controlled Distribution

To configure a controlled distribution mode, open the smconfig.prp file (Located at OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor, and edit the parameters described in Table 18-5.

Table 18-5 smconfig.prp File Parameters (Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Accept the default value controlled-push as the distribution mode.

oracle.security.jps.runtime.pd.client.RegistrationServerHost

Enter the address of the Oracle Entitlements Server Administration Server.

oracle.security.jps.runtime.pd.client.RegistrationServerPort

Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number from the WebLogic Administration console.


18.5.2.2 Configuring Non-Controlled and Controlled Pull Distribution Mode

Open the smconfig.prp file (Located at OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor and edit the following parameters described in Table 18-6.

Table 18-6 smconfig.prp File Parameters (Non-Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Enter non-controlled or controlled-pull as the distribution mode.

oracle.security.jps.policystore.type

Specify the policy store type. For example, DB for Oracle Database, OID for Oracle Internet Directory, and Derby for Apache Derby.

jdbc.url

Specify your database policy store JDBC URL.

ldap.url

Specify your LDAP URL.

oracle.security.jps.farm.name

Specify your domain name. The default value is cn=oes_domain.

oracle.security.jps.ldap.root.name

Specify the root name of jps context. The default value is cn=jpsroot.


When prompted, specify the following:

  • Oracle Entitlements Server user name (This is the Administration Server's user name).

  • Oracle Entitlements Server password (This is the Administration Server's password)

  • New key store password for enrollment
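Tables 18-5 and 18-6 describe two different sets of smconfig.prp parameters, and which set applies depends on the distribution mode. The following shell script is an added example, not part of the Oracle guide or the OES Client: it writes an smconfig.prp from a few inputs and enforces the rules the two tables describe (controlled-push needs the Administration Server host and SSL port; non-controlled and controlled-pull need the policy store type plus a JDBC URL for DB or Derby, or an LDAP URL for OID). The parameter names are the guide's; the validation, file layout and function names are this example's own assumptions, and the host names and URLs in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: writes an smconfig.prp for a Security
# Module, enforcing the parameter rules of Tables 18-5 and 18-6. Parameter names are
# the guide's; the checks and the layout of the file are this example's own.

# write_smconfig <out file> <mode> <host | policy store type> <port | url>
#   controlled-push : write_smconfig out.prp controlled-push oes-admin.example.com 7002
#   non-controlled  : write_smconfig out.prp non-controlled DB 'jdbc:oracle:thin:@db.example.com:1521/orcl'
#   controlled-pull : write_smconfig out.prp controlled-pull OID 'ldap://oid.example.com:3060'
write_smconfig() {
  out="$1"; mode="$2"; a="$3"; b="$4"
  case "$mode" in
    controlled-push)
      # Table 18-5: host of the Administration Server and its SSL port (1-65535).
      case "$a" in ""|*[!A-Za-z0-9.-]*) echo "bad host: $a" >&2; return 1;; esac
      case "$b" in ""|*[!0-9]*) echo "bad port: $b" >&2; return 1;; esac
      [ "$b" -ge 1 ] && [ "$b" -le 65535 ] || { echo "port out of range: $b" >&2; return 1; }
      {
        echo "oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push"
        echo "oracle.security.jps.runtime.pd.client.RegistrationServerHost=$a"
        echo "oracle.security.jps.runtime.pd.client.RegistrationServerPort=$b"
      } > "$out"
      ;;
    non-controlled|controlled-pull)
      # Table 18-6: the Security Module reads the policy store directly, so it needs
      # the store type and the matching URL. Defaults for farm and root name are the guide's.
      case "$a" in
        DB|Derby) case "$b" in jdbc:*) ;; *) echo "need a jdbc: URL for $a" >&2; return 1;; esac; urlkey=jdbc.url ;;
        OID)      case "$b" in ldap://*|ldaps://*) ;; *) echo "need an ldap URL for OID" >&2; return 1;; esac; urlkey=ldap.url ;;
        *) echo "unknown policy store type: $a" >&2; return 1 ;;
      esac
      {
        echo "oracle.security.jps.runtime.pd.client.policyDistributionMode=$mode"
        echo "oracle.security.jps.policystore.type=$a"
        echo "$urlkey=$b"
        echo "oracle.security.jps.farm.name=cn=oes_domain"
        echo "oracle.security.jps.ldap.root.name=cn=jpsroot"
      } > "$out"
      ;;
    *) echo "unknown distribution mode: $mode" >&2; return 1 ;;
  esac
}

# prp_value <file> <key>: prints the value stored for a key (empty if absent)
prp_value() { sed -n "s/^$2=//p" "$1"; }
```

Once written, the file is passed to config.sh with -prpFileName, as in the controlled-mode procedures above; in controlled-push mode the tool then prompts for the Administration Server credentials and the enrollment key store password, so those never need to be placed in the properties file.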

18.5.3 Configuring Security Module

OES Client includes the following Security Modules:

  • Java Security Module

  • Multi-Protocol Security Module

  • WebLogic Security Module

For more information, see "Understanding the Types of Security Modules" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

18.5.3.1 Creating Java Security Module

The Java Security Module is a generic Policy Decision Point that provides authorization decisions through a Java API. This Security Module can be configured on:

Java Standard Edition (JSE)

To create a Java Security Module instance, you must run the config.sh (Located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (Located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

Note:

If you are using Java Security Module in the proxy mode with Web Service Security Module or RMI Security Module, then you must use oes-ws-client.jar or oes-rmi-client.jar and ensure that you do not use oes-client.jar.
config.sh -smType java -smConfigId mySM_Java_Controlled -pdServer <oes_server_address> -pdPort <oes_server_ssl_port>

In controlled push mode, you will be prompted for the Oracle Entitlements Server Administration Server username, password, and a new key store password for enrollment.

In non-controlled and controlled pull modes, you will be prompted for Oracle Entitlements Server schema username, and Password.

Table 18-7 describes the parameters you specify on the command line.

Table 18-7 JSE Security Module Parameters

Parameter    Distribution Mode   Description
smType       All                 Type of security module instance you want to create. For example, java.
smConfigId   All                 Name of the security module instance. For example, mySM_java.
pdServer     controlled-push     The address of the Oracle Entitlements Server Administration Server.
pdPort       controlled-push     The SSL port number of the Oracle Entitlements Server Administration Server. For example, 7002.

The Java Security Module instance is created at OES_CLIENT_HOME/oes_sm_instances/<smConfigId>; with the example value in Table 18-7, this is OES_CLIENT_HOME/oes_sm_instances/mySM_java.

IBM WebSphere

To configure Java Security Module on IBM WebSphere, complete the following steps:

  1. Create a new application server using the IBM WebSphere console and name it OesServer.

  2. Start the Oracle Entitlements Server (OesServer) you created for IBM WebSphere.

  3. Deploy was-client.war (Located at OES_CLIENT_HOME/oessm/pd) to the Oracle Entitlements Server you created.

  4. Open the smconfig.prp file in a text editor and specify the PD client port and the PD application client context. The PD client port is the SSL port number of the IBM WebSphere application server, and the PD application client context is the context root under which was-client.war is deployed. For example:

    oracle.security.jps.pd.was.client.appcontext=pd-client
    oracle.security.jps.pd.clientPort=8002
    
  5. Run the config.sh command as follows:

    $OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -pdServer <oes_admin_server> -pdPort <oes_admin_port> -serverNodeName <was_node_name> -serverName <server_name> -serverLocation WAS_HOME
    

    WAS_HOME is the location of the IBM WebSphere Application Server.

    For any distribution mode you choose, specify the IBM WebSphere server user name and password when prompted.

    In controlled-push mode, you are prompted for the Oracle Entitlements Server Administration Server user name and password, and for a new key store password for enrollment.

    In non-controlled and controlled-pull modes, you are prompted for the Oracle Entitlements Server schema user name and password.

    Table 18-8 describes the parameters you specify on the command line.

    Table 18-8 IBM WebSphere Security Module Parameters

    Parameter        Distribution Mode   Description
    smType           All                 Type of security module instance you want to create. For example, was.
    smConfigId       All                 Name of the security module instance. For example, mySM_WAS.
    pdServer         controlled-push     The address of the Oracle Entitlements Server Administration Server.
    pdPort           controlled-push     The SSL port number of the Oracle Entitlements Server Administration Server. For example, 7002.
    serverLocation   All                 Location of the IBM WebSphere Server.


  6. Configure SSL for the IBM WebSphere application server as follows:

    1. Export the Oracle WebLogic Server demo trust certificate (alias wlscertgencab) from the WebLogic demo trust keystore, or from the OES trust.jks file, into a DER file with keytool, as in the following example. The demo trust store and its certificate are intended for development and testing only; for a production deployment, use certificates issued by your own certificate authority.

      keytool -exportcert -keystore $OES_CLIENT_HOME/oessm/enroll/DemoTrust.jks -alias wlscertgencab -file ~/was.der

    2. Import the was.der file into the WebSphere node default trust keystore and cell default trust keystore as follows:

      • You may find the import in IBM WebSphere Administration Server console:

        security->SSL certificate and key management -> Key stores and certificates -> <NodeDefaultTrustStore> <CellDefaultTrustStore> (here you need to choose one name) -> Signer certificates.

      • Click Add.

      • Enter an alias. For example, WLS.

      • Choose the .der file that you exported earlier, and select data type as DER.

    3. Import the issued private key into the IBM WebSphere node default keystore as follows:

      • You may find the import in IBM WebSphere Administration Server console:

        security->SSL certificate and key management -> Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates.

      • Click Import.

      • Select Keystore and enter the path to the keystore file (Located at OES_CLIENT_HOME/oes_sm_instances/mySM_WAS/security/identity.jks)

      • Select JKS as type and enter the password you used to create the keystore file.

      • The certificate alias name is the same name as the hostname.

        Note:

        For the WebSphere ND edition, you must import the demo trust certificate into both trust stores (node default and cell default). The private key is imported into one keystore only (the node default keystore).

    4. Enable Inbound SSL for the server running the IBM WebSphere Security Module as follows:

      • In the IBM WebSphere administration console, go to Security > SSL certificate and key management -> Manage endpoint security configurations.

      • Expand the Inbound tree to get: Inbound -> DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module>, and select the server.

      • In the General Properties page, select Override inherited values.

      • From the SSL configuration list, select NodeDefaultSSLSettings.

      • Click Update certificate alias list button and then choose the new imported private key alias in the Certificate alias in key store list.

      • Click Apply.

    5. Enable Outbound SSL for the server running the IBM WebSphere Security Module as follows:

      • In the IBM WebSphere administration console, go to Security > SSL certificate and key management -> Manage endpoint security configurations.

      • Expand the Outbound tree to get: Outbound -> DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module>, and select the server.

      • In the General Properties page, select Override inherited values.

      • From the SSL configuration list, select NodeDefaultSSLSettings.

      • Click Update certificate alias list and choose the new imported private key alias in the Certificate alias in key store list.

      • Click Apply.

18.5.3.2 Creating Multi-Protocol Security Module

The Multi-Protocol Security Module is an authorization service (based on service-oriented architecture principles) wrapped around a generic Java Security Module. This section describes how to configure a Multi-Protocol Security Module using:

RMI

To configure an RMI Security Module instance, run config.sh (located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType rmi -smConfigId mySM_Rmi_Controlled -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -RMIListeningPort 9405

In controlled-push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 18-9 describes the parameters you specify on the command line.

Table 18-9 RMI Security Module Parameters

Parameter          Distribution Mode   Description
smType             All                 The type of security module instance you want to create. For example, rmi.
smConfigId         All                 The name of the security module instance. For example, mySM_Rmi_Controlled.
pdServer           controlled-push     The address of the Oracle Entitlements Server Administration Server.
pdPort             controlled-push     The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.
RMIListeningPort   All                 The RMI listening port. For example, 9405.

This command also creates the client configuration for the RMI Security Module instance.

Web Service

To create a Web Service Security Module instance, run config.sh (located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType ws -smConfigId mySM_Ws_Controlled -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

In controlled-push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name and password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 18-10 describes the parameters you specify on the command line.

Table 18-10 Web Service Security Module Parameters

Parameter         Distribution Mode   Description
smType            All                 Type of security module instance you want to create. For example, ws.
smConfigId        All                 Name of the security module instance. For example, mySM_Ws_Controlled.
pdServer          controlled-push     The address of the Oracle Entitlements Server Administration Server.
pdPort            controlled-push     The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.
WSListeningPort   All                 The web service listening port. For example, 9410.

This command also creates the client configuration for the Web Service Security Module instance.

18.5.3.3 Creating WebLogic Security Module

The WebLogic Security Module is a custom Java Security Module that includes both a Policy Decision Point and a Policy Enforcement Point. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It will only run on the WebLogic Server container.

To configure a WebLogic Server Security Module instance, run config.sh (located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located at OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType wls -smConfigId mySM_WLS -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -serverLocation MW_HOME/wlserver_10.3/

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 18-11 describes the parameters you specify on the command line.

Table 18-11 Oracle WebLogic Server Security Module Parameters

Parameter        Distribution Mode   Description
smType           All                 Type of security module instance you want to create. For example, wls.
smConfigId       All                 Name of the security module instance. For example, mySM_WLS.
pdServer         controlled-push     Address of the Oracle Entitlements Server Administration Server.
pdPort           controlled-push     The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.
serverLocation   All                 Location of the Oracle WebLogic Server.

The Configuration Wizard is displayed. Create an OES Client domain as described in Section 18.5.4, "Creating the OES Client Domain".

18.5.3.4 Configuring the PDP Proxy Client

Configure a PDP Proxy Client when a Java, WebLogic or IBM WebSphere Security Module should forward its authorization requests to a Web Service Security Module or an RMI Security Module instead of deciding locally. Set the parameters described in Table 18-12 in the Security Module configuration properties:

Table 18-12 PDP Proxy Client Security Module Parameters

Parameter                                  Description
oracle.security.jps.pdp.isProxy            Specify true as the value.
oracle.security.jps.pdp.PDPTransport       Specify Web Service (WS) or RMI.
oracle.security.jps.pdp.proxy.PDPAddress   Specify http://hostname:port for WS or rmi://hostname:port for RMI.

Then run config.sh (located at OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located at OES_CLIENT_HOME\oessm\bin on Windows), as in the following example for a Java Security Module:

OES_CLIENT_HOME/oessm/bin/config.sh -smType <SM_TYPE> -smConfigId <SM_NAME>

SM_TYPE can be java, wls, or was; for SM_NAME, enter an appropriate name.

18.5.4 Creating the OES Client Domain

To create the OES Client domain, complete the following steps:

Note:

You can extend an existing Oracle WebLogic Server domain for Oracle Entitlements Server. An existing domain that already has JRF configured is not supported.

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server WebLogic Security Module - 11.1.1.0 [OESCLIENT] option. Click Next.

    Note:

    Ensure that you do not select the domain template associated with the Oracle Entitlements Server Administration Server from the IDM_HOME.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, select Administration Server and Managed Servers, Clusters and Machines, Deployments and Services check boxes and click Next.

    The Configure the Administration Servers screen is displayed.

  8. In the Configure the Administration Servers screen, enter the following details:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 8001.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 8002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or the smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for the Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    Click Next.

  10. The Configure Clusters screen is displayed, click Next.

  11. The Configure Machines screen is displayed, click Next.

  12. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  13. Create three directories under DOMAIN_HOME/config/oeswlssmconfig and name them as follows:

    • AdminServer

    • OES_ManagedServer_1

    • OES_ManagedServer_2

  14. Copy all the files in DOMAIN_HOME/config/oeswlssmconfig (but not the three directories you just created) into each of the new directories:

    • AdminServer

    • OES_ManagedServer_1

    • OES_ManagedServer_2

  15. Open jps-config.xml (Located at DOMAIN_HOME/config/oeswlssmconfig/OES_ManagedServer_1) and specify the OES_ManagedServer_1 Managed Server host name and port number for oracle.security.jps.runtime.pd.client.DistributionServiceURL.

  16. Open jps-config.xml (Located at DOMAIN_HOME/config/oeswlssmconfig/OES_ManagedServer_2) and specify the OES_ManagedServer_2 Managed Server host name and port number for oracle.security.jps.runtime.pd.client.DistributionServiceURL.

  17. Open setDomainEnv.sh (UNIX) or setDomainEnv.cmd (Windows) in a text editor and change the line

    -Doracle.security.jps.config=${DOMAIN_HOME}/config/oeswlssmconfig/jps-config.xml

    to

    -Doracle.security.jps.config=${DOMAIN_HOME}/config/oeswlssmconfig/${SERVER_NAME}/jps-config.xml

    so that each server reads the jps-config.xml from its own directory.
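The following shell script is added here as an example of steps 13 to 17 and is not part of the Oracle documentation. It runs on a constructed stand-in for DOMAIN_HOME, so no OES installation is needed. It assumes that DistributionServiceURL is stored in jps-config.xml as an OPSS <property name="..." value="scheme://host:port"/> element and that setDomainEnv.sh carries the -Doracle.security.jps.config option inside a quoted string; the host names, ports and fixture files are placeholders constructed inline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: steps 13 to 17 of Section 18.5.4
# as a script. Assumptions: DistributionServiceURL is stored in jps-config.xml as an
# OPSS <property name="..." value="scheme://host:port"/> element, and setDomainEnv.sh
# carries -Doracle.security.jps.config inside a quoted string. Hosts and ports are
# placeholders; the fixture files are constructed here, not taken from a real domain.
set -eu

SERVERS="AdminServer OES_ManagedServer_1 OES_ManagedServer_2"

# Steps 13 and 14: one directory per server, each holding a copy of the shared files.
split_sm_config() {
    src="$1/config/oeswlssmconfig"
    for s in $SERVERS; do
        mkdir -p "$src/$s"
    done
    for f in "$src"/*; do
        [ -f "$f" ] || continue      # skip the per-server directories just created
        for s in $SERVERS; do
            cp "$f" "$src/$s/"
        done
    done
}

# Steps 15 and 16: point one server's jps-config.xml at that server's host and port,
# rewriting only the host:port part of the DistributionServiceURL value.
set_distribution_url() {
    sed -E "s#(name=\"oracle\.security\.jps\.runtime\.pd\.client\.DistributionServiceURL\"[[:space:]]+value=\"[a-z]+://)[^:/\"]+:[0-9]+#\1$2:$3#" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Step 17: make setDomainEnv.sh select the per-server file through ${SERVER_NAME},
# which WebLogic sets at start-up; the ${} stays literal in the file.
patch_set_domain_env() {
    sed 's#oeswlssmconfig/jps-config\.xml#oeswlssmconfig/${SERVER_NAME}/jps-config.xml#' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Read back the DistributionServiceURL value of a jps-config.xml (used to verify).
get_distribution_url() {
    sed -nE 's#.*DistributionServiceURL"[[:space:]]+value="([^"]+)".*#\1#p' "$1"
}

# Constructed stand-in for a freshly created DOMAIN_HOME.
make_fixture_domain() {
    d=$(mktemp -d)
    mkdir -p "$d/config/oeswlssmconfig" "$d/bin"
    cat > "$d/config/oeswlssmconfig/jps-config.xml" <<'EOF'
<jpsConfig>
  <serviceInstance name="pdp.service" provider="pdp.service.provider">
    <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="controlled-push"/>
    <property name="oracle.security.jps.runtime.pd.client.DistributionServiceURL" value="https://localhost:9000"/>
  </serviceInstance>
</jpsConfig>
EOF
    cat > "$d/bin/setDomainEnv.sh" <<'EOF'
EXTRA_JAVA_PROPERTIES="-Doracle.security.jps.config=${DOMAIN_HOME}/config/oeswlssmconfig/jps-config.xml ${EXTRA_JAVA_PROPERTIES}"
EOF
    echo "$d"
}

# Stand-alone demonstration on the constructed domain.
DEMO_HOME=$(make_fixture_domain)
split_sm_config "$DEMO_HOME"
set_distribution_url "$DEMO_HOME/config/oeswlssmconfig/OES_ManagedServer_1/jps-config.xml" oes-host1.example.com 7012
set_distribution_url "$DEMO_HOME/config/oeswlssmconfig/OES_ManagedServer_2/jps-config.xml" oes-host2.example.com 7022
patch_set_domain_env "$DEMO_HOME/bin/setDomainEnv.sh"
for s in $SERVERS; do
    echo "$s: $(get_distribution_url "$DEMO_HOME/config/oeswlssmconfig/$s/jps-config.xml")"
done
grep 'oracle.security.jps.config' "$DEMO_HOME/bin/setDomainEnv.sh"
rm -rf "$DEMO_HOME"
```

On a real domain, replace make_fixture_domain with the actual DOMAIN_HOME and pass each Managed Server's listen host and SSL port to set_distribution_url. The AdminServer copy keeps the URL written by the configuration tool, as in the steps above; only the two Managed Server copies are rewritten.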
    

18.5.5 Locating Security Module Instances

The Oracle Entitlements Server security module instances are created in the OES_CLIENT_HOME/oes_sm_instances directory.

For Oracle WebLogic Server security module, the domain configuration is located at DOMAIN_HOME/config/oeswlssmconfig.

You can create, delete, or modify the security module instances, as required.

18.5.6 Using the Java Security Module

After configuring the Java Security Module for your program, start the Java Security Module with your program as follows:

  1. Set the oracle.security.jps.config Java system property to the location of the jps-config.xml created at OES_CLIENT_HOME/oes_sm_instances/<SM_NAME>/config/jps-config.xml.

  2. Add oes-client.jar (located at OES_CLIENT_HOME/modules/oracle.oes_sm.1.1.1) to the classpath of the program.
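As an added example, not the page's or Oracle's own code, the launcher below applies the two steps above together with the proxy-mode rule from Section 18.5.3.1 and the Table 18-12 settings from Section 18.5.3.4: it locates the instance's jps-config.xml, reads the proxy properties from it, picks oes-client.jar, oes-ws-client.jar or oes-rmi-client.jar accordingly, refuses a transport that does not match the PDPAddress scheme, and prints the java command line. It assumes the Table 18-12 properties appear in jps-config.xml as <property name="..." value="..."/> elements; the instance names, host names and the main class com.example.App are placeholders, the module directory name is taken from this page, and the fixture files are constructed inline.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation. Launcher for a JSE program that
# uses the Java Security Module (Section 18.5.6), choosing the client jar per the
# proxy-mode note in Section 18.5.3.1 and the PDP proxy settings of Table 18-12.
# Assumption: the Table 18-12 properties are present in the instance's
# jps-config.xml as <property name="..." value="..."/> elements.
set -eu

# Module directory that holds the client jars, as given on this page.
OES_MODULE_DIR="modules/oracle.oes_sm.1.1.1"

# Read the value of one <property name="..." value="..."/> element from a jps-config.xml.
jps_property() {
    sed -nE "s#.*<property[[:space:]]+name=\"$2\"[[:space:]]+value=\"([^\"]*)\".*#\1#p" "$1" | head -n 1
}

# Pick the client jar: oes-client.jar for a local PDP; in proxy mode the jar must match
# the transport, and the PDPAddress scheme must match the transport (Table 18-12).
select_client_jar() {
    is_proxy=$(jps_property "$1" oracle.security.jps.pdp.isProxy)
    transport=$(jps_property "$1" oracle.security.jps.pdp.PDPTransport)
    address=$(jps_property "$1" oracle.security.jps.pdp.proxy.PDPAddress)
    if [ "$is_proxy" != "true" ]; then
        echo oes-client.jar
        return 0
    fi
    case "$transport:$address" in
        WS:http://*|WS:https://*) echo oes-ws-client.jar ;;
        RMI:rmi://*)              echo oes-rmi-client.jar ;;
        *) echo "proxy transport '$transport' does not match PDPAddress '$address'" >&2; return 1 ;;
    esac
}

# Build the java command line: -Doracle.security.jps.config (step 1) and the client jar
# on the classpath (step 2). app.jar and the main class are placeholders.
oes_java_command() {
    client_home=$1 sm_name=$2 main_class=$3
    cfg="$client_home/oes_sm_instances/$sm_name/config/jps-config.xml"
    [ -f "$cfg" ] || { echo "missing $cfg: run config.sh for $sm_name first" >&2; return 1; }
    jar=$(select_client_jar "$cfg") || return 1
    echo "java -Doracle.security.jps.config=$cfg -cp $client_home/$OES_MODULE_DIR/$jar:app.jar $main_class"
}

# Constructed jps-config.xml fixture standing in for the file config.sh writes.
make_fixture_instance() {
    cfg_dir="$1/oes_sm_instances/$2/config"
    mkdir -p "$cfg_dir"
    cat > "$cfg_dir/jps-config.xml" <<EOF
<jpsConfig>
  <serviceInstance name="pdp.service" provider="pdp.service.provider">
    <property name="oracle.security.jps.pdp.isProxy" value="$3"/>
    <property name="oracle.security.jps.pdp.PDPTransport" value="$4"/>
    <property name="oracle.security.jps.pdp.proxy.PDPAddress" value="$5"/>
  </serviceInstance>
</jpsConfig>
EOF
}

# Stand-alone demonstration on constructed instances (no OES installation needed).
DEMO_HOME=$(mktemp -d)
make_fixture_instance "$DEMO_HOME" mySM_java false "" ""
make_fixture_instance "$DEMO_HOME" mySM_java_ws_proxy true WS http://oes-ws.example.com:9410
make_fixture_instance "$DEMO_HOME" mySM_java_rmi_proxy true RMI rmi://oes-rmi.example.com:9405
for sm in mySM_java mySM_java_ws_proxy mySM_java_rmi_proxy; do
    oes_java_command "$DEMO_HOME" "$sm" com.example.App
done
rm -rf "$DEMO_HOME"
```

In a real deployment, call oes_java_command with OES_CLIENT_HOME and the smConfigId you passed to config.sh and run the printed command; the jar selection guards against the mistake the note in Section 18.5.3.1 warns about, putting oes-client.jar on the classpath of a proxy-mode Security Module.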

18.6 Getting Started with Oracle Entitlements Server After Installation

After installing Oracle Entitlements Server, refer to the following documents: